Researchers track Ron Paul spam back to Reactor botnet

Security researchers have tracked a recent wave of Ron Paul spam back to a …

In a report published this week by security firm SecureWorks, researchers reveal that the recent flurry of Ron Paul spam originated from a Reactor botnet controlled by a commercial spammer through a colocation facility in the US.

The researchers analyzed header elements of the spam e-mails to trace them back to zombie systems that were infected with the Srizbi trojan, an unusual piece of malware with highly advanced features. According to Symantec research, which has independently studied Srizbi, the trojan is one of the first pieces of malware found in the wild to operate fully in kernel mode with no userspace code. Srizbi bypasses firewalls and packet sniffers by directly manipulating the kernel-level TCP/IP stack. The Srizbi trojan is largely propagated by the well-known msiesettings.com site, which is paid by spammers to deploy viruses and trojans for spam botnets.

SecureWorks collaborated with network administrators to analyze the traffic from some of the computers infected with Srizbi that were responsible for sending the Ron Paul spam. This allowed the researchers to discover the location from which the botnet was operated—a colocation facility in the US. The researchers collaborated with Spamhaus to get the server shut down and then obtained the source code used on the control system, a Python-based spam botnet management tool known as the Reactor Mailer. The logs present on the system prove that it was indeed the origin of the Ron Paul spam. Further research showed that other systems in the same colocation facility were also controlling various segments of the Srizbi botnet, and using it to transmit spam advertising replica watches and enlargement pills.

The evidence leads researchers to conclude that the Ron Paul spam was transmitted by a spammer called nenastnyj who operated a single node in a colocation facility and was likely affiliated with or renting access from the Reactor syndicate. The messages were transmitted by approximately 3,000 bots using a 3.4GB e-mail database file with over 160,000,000 addresses.

"While the total count of Ron Paul spam messages that actually landed in peoples' inboxes can't be known, it certainly was received by millions of recipients," writes the author of the SecureWorks report. "All this was done using around 3,000 bots—this speaks to the efficiency of the template-based spam botnet model over the older proxy-based methods. The front-end also plays a part in the efficiency, by allowing the spammer to check the message's SpamAssassin score before hitting send, simplifying the process of filter evasion and ensuring maximum delivery for the message."

Although it's likely that somebody paid nenastnyj to transmit the Ron Paul spam, there is no evidence to indicate that it was anyone directly associated with the Ron Paul campaign.